by vijayaggarwal 4383 days ago
We already have a fairly good solution to this problem in OAuth. However, current popular implementations of OAuth are third-party owned, which is not desirable for many reasons (for example, Google won't use Facebook-owned OAuth, and vice versa).

Ideally, we should have a self-owned OAuth service implemented by browsers or operating systems. And the APIs of this service should be standardized. Also, the storage should be locally available with remote sync optionally available for backup and cross-device syncing.


Something like the Firefox Accounts¹ project? Which has OAuth2 support² in the works.

1: https://wiki.mozilla.org/Identity/Firefox_Accounts

2: https://github.com/mozilla/fxa-oauth-server

FxA is primarily for Firefox's own products and services. Mozilla Persona (confusing name - Personas is what they called Firefox themes as well) is closer.
Yea but there's really no good docs for Persona around anymore, that I can find.

The plan is to use Persona for one's FxA:

> Once we get the basics down and enable single sign-on for relying Mozilla Services with your Firefox Account, we hope to integrate Firefox Accounts with Persona on the Web and Firefox user agents to make logging in everywhere as painless as it should be.

I think that was Microsoft Passport. More recently, it's Mozilla Persona. The problem has always been a lack of incentives for websites to implement them, coupled with user indifference.
[Edit]: added comment on Mozilla Persona.

I would disagree. It's common knowledge (backed by many A/B tests) that shorter sign-up forms see less traffic drop. So, if OAuth can replace a number of things (name, email, password, email verification, and so on) by a couple of clicks, I as a website owner will be very happy. Also, when sending interesting emails to inactive users, I see quite a few come back but drop again after a few unsuccessful login attempts. Again, OAuth will help.

The reasons website owners (at least I) don't use Facebook's or Google's OAuth are the following:

1. They brand their service too much. The button itself says Login with Facebook/Google. I don't want my users' mind share to be consumed by them. Everything from login/logout to account management happens on pages in the context of their brand. Browser/OS providing this service is much less problematic, and even they should have pluggable services for replacing their default implementations, just like the ability to change the default browser on any OS.

2. They own the data and not the user. I have faced an incident in the past where one of my games was blocked by Facebook because they thought it was gambling. I lost 95% of my users in one stroke. It took me two weeks of haggling with FB to get my game whitelisted again. Still, the damage was done and we could never fully recover. The data must be owned by the end user and stored in an open format so that the user can take it freely from one place to another, just like I can take my contacts in vCard format wherever I like.

3. Any such solution (especially when so heavily branded) will naturally turn other big players hostile. For example, Facebook and Google will have their own separate implementations instead of having a common one. This will almost ensure that standardization will not take place. One button each for signup with Facebook/Google/LinkedIn/OpenID/... doesn't make for great UX and it's unnecessary overhead for website owners.

Mozilla Persona is a good initiative. Hope they prefer standardization over trying to use it to promote their own browser.

> Mozilla Persona is a good initiative. Hope they prefer standardization over trying to use it to promote their own browser.

Well, there's this:

https://groups.google.com/forum/#!topic/mozilla.dev.identity...